Cloud DP for SCCM - Network Architecture Question

  • Question

  • We currently have a full VPN tunnel back to our corporate data center. All of our remote clients are routed back to corporate and make a hairpin turn back to the internet if they attempt to access anything outside of our network.  In other words, we do not have any sort of split tunnel configuration.

    With that said, we have multiple remote locations that only have client workstations and no servers, NAS devices, or anything that can be used for a distribution point with SCCM.  We have been using workstations as distribution points for SCCM, but they are leased and with so many locations it becomes a management nightmare to keep track of when these distribution points come off of lease. With that said, is there any way that we could utilize cloud distribution points without a split tunnel network? Is it not possible to allow an exclusive tunnel to a cloud DP based on an IP range without having a totally split tunnel network?

    For those who may have faced a similar situation or have knowledge in this area -- any help is appreciated.

    We are a bit concerned our network would be very congested if we didn't look at routing at least the DP traffic through a split tunnel.

    Friday, May 1, 2015 6:49 PM

Answers

  • hi,

    BranchCache in Distributed mode works really well alongside SCCM at locations without a server, if planned and managed correctly. 

    Because the cache is distributed, there's more chance that even if one of your workstations goes off lease - the content should still be available locally, and it's easy enough to 'seed' content to all your workstations if required

    We have a starter page if you need to get up to speed with all things BranchCache

    http://2pintsoftware.com/microsoftbranchcache 


    Phil


    Phil Wilcock http://2pintsoftware.com @2pintsoftware


    • Edited by Phil Wilcock Monday, May 4, 2015 7:53 PM more info!
    • Marked as answer by wf88 Tuesday, May 5, 2015 1:55 PM
    Monday, May 4, 2015 7:51 PM
  • hi,

    yes, that's correct. BUT!

    You MUST make sure that BranchCache on the server (DP) has created the Content Information (hashes) for the Application. If the content information is not there, the first SCCM client download only TRIGGERS the BranchCache Server to create the content - then it's the Second client that will do the BranchCache magic. So long as you remember that - it will all work fine.

    Depending on the server OS version, you can manually make sure that the BranchCache Content Information is there by using PowerShell - or we have a free tool on our site - HashiBashi.exe that can be used to automate this too.

    BranchCache can be tricky if you miss anything out in the config steps so I recommend that you read the step-by-step MS docs first.

    thanks

    Phil



    Phil Wilcock http://2pintsoftware.com @2pintsoftware

    • Marked as answer by wf88 Tuesday, May 5, 2015 2:50 PM
    Tuesday, May 5, 2015 2:48 PM
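    An added PowerShell example (not from this thread, 2Pint or Microsoft) that covers the two checks the answer above depends on: that each workstation is actually in Distributed mode with a usable cache, and that the server has content information published before the first client asks for it. It assumes the built-in BranchCache module (Windows 7 / Server 2012 or later), a hypothetical $ContentPath that is local on the server, and that Publish-BCFileContent covers the content you serve; it is documented for SMB-served files, so for HTTP-served DP content the thread's HashiBashi tool or a first seeding download remains the alternative.

```powershell
# Added example, not part of the thread. Assumes the BranchCache module and
# that $ContentPath is a local path on the server (hypothetical value).

function Assert-BCDistributedClient {
    # Make sure a workstation can take part in Distributed mode and report
    # what it is doing; run on each satellite-office client.
    param([int]$CachePercent = 5)   # share of the disk the peer cache may use
    $cfg = Get-BCClientConfiguration
    if ($cfg.CurrentClientMode -ne 'DistributedCache') {
        # Switches the client to Distributed mode and opens the firewall rules
        Enable-BCDistributed
    }
    Set-BCCache -Percentage $CachePercent
    $cfg   = Get-BCClientConfiguration
    $cache = Get-BCDataCache
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Mode        = $cfg.CurrentClientMode          # expect DistributedCache
        CacheUsedMB = [math]::Round($cache.CurrentActiveCacheSize / 1MB, 1)
    }
}

function Publish-ServerContentInformation {
    # Pre-hash everything below the path so content information exists before
    # the first client download; otherwise that client only triggers hashing
    # and only the second client benefits, as the answer above explains.
    param([Parameter(Mandatory)][string]$ContentPath)
    if (-not (Test-Path -LiteralPath $ContentPath)) {
        throw "Content path not found: $ContentPath"
    }
    Publish-BCFileContent -Path $ContentPath -Recurse
}

function Get-BCRetrievalCounters {
    # Read whatever retrieval counters this OS exposes, so you can see after a
    # deployment whether bytes came from peers or from the server over the WAN.
    $paths = (Get-Counter -ListSet 'BranchCache').Paths |
             Where-Object { $_ -match 'Retrieval' }
    (Get-Counter -Counter $paths).CounterSamples |
        Select-Object Path, CookedValue
}

# Typical use, server side then client side:
# Publish-ServerContentInformation -ContentPath 'D:\ContentLib\App1'  # hypothetical path
# Assert-BCDistributedClient
# Get-BCRetrievalCounters
```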

All replies

  • As you haven't mentioned the usage, yet, before deciding if it's a valid option for your situation, please be sure that you are aware of its limitations. For that information see: https://technet.microsoft.com/en-us/library/b2516212-e524-4031-9a1f-7b768084304d#BKMK_PlanCloudDPs

    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    • Proposed as answer by Jason Sandys [MSFT]MVP Saturday, May 2, 2015 6:28 PM
    • Unproposed as answer by wf88 Tuesday, May 5, 2015 1:54 PM
    Friday, May 1, 2015 6:59 PM
  • I'm not a networking guy so take my answer with a grain of salt.  If you cannot enable split tunneling for those clients to access the internet WITHOUT going back to corp I don't see the benefit of a cloud DP.  Also, as Peter mentioned, there are limitations with a cloud DP. 

    When I have discussed potential cloud DPs with my customers, we determined that the DP would only be used for Applications.  You can't image from a cloud DP and software updates have the option to go to the internet if your DP doesn't have the package, which would save you money, so in the end, only apps on the cloud DP.

    Without knowing how many clients and the number of remote locations, if placing remote DPs is out of the question, I would leverage BranchCache and have the devices reach back to corp for content.

    Friday, May 1, 2015 8:00 PM
  • Is it not possible to allow an exclusive tunnel to a cloud DP based on an IP range without having a totally split tunnel network?

    Ultimately, this has nothing to do with ConfigMgr so there's nothing that ConfigMgr can do to help you here; however, as noted in one of the other threads, BranchCache is a ConfigMgr centric solution here that would address your issue nicely.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Saturday, May 2, 2015 6:30 PM
  • Is it not possible to allow an exclusive tunnel to a cloud DP based on an IP range without having a totally split tunnel network?

    Ultimately, this has nothing to do with ConfigMgr so there's nothing that ConfigMgr can do to help you here; however, as noted in one of the other threads, BranchCache is a ConfigMgr centric solution here that would address your issue nicely.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Thanks Jason.  As mentioned, many of our locations only have client workstations.  No servers, NAS devices, etc.  All of these workstations come and go off lease so how would BranchCache help us with SCCM?  I cannot see Hosted BranchCache being of benefit because the host workstation would just go off lease just like the workstations do now that are configured as SCCM distribution points. 

    I am not sure that Distributed BranchCache would be of much benefit either. 

    Monday, May 4, 2015 2:53 PM
  • Also, to utilize BranchCache we would still have to purchase a server to enable branch cache at any location where we only had workstations...if I am not mistaken.  I think Server 08 Enterprise or DataCenter is required so we would still be looking at acquiring hardware.
    Monday, May 4, 2015 5:39 PM
  • BranchCache is available, in client operating systems, since Windows 7.

    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    Monday, May 4, 2015 6:13 PM
  • BranchCache is available, in client operating systems, since Windows 7.

    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude


    Thanks Peter.  I think I totally misunderstood the requirements.
    Monday, May 4, 2015 8:32 PM
  • hi,

    BranchCache in Distributed mode works really well alongside SCCM at locations without a server, if planned and managed correctly. 

    Because the cache is distributed, there's more chance that even if one of your workstations goes off lease - the content should still be available locally, and it's easy enough to 'seed' content to all your workstations if required

    We have a starter page if you need to get up to speed with all things BranchCache

    http://2pintsoftware.com/microsoftbranchcache 


    Phil


    Phil Wilcock http://2pintsoftware.com @2pintsoftware


    Thanks Phil.  I will check out the site. 

    One issue I still see though is having to rotate distribution points due to workstations going off lease.  Distributed BranchCache works well for some things, but won't we still have to keep track of workstations that are configured as distribution points since they go off lease?

    Essentially, we have two issues here:

    1) Our workstations configured as DP's for SCCM go off lease and we have to keep track of all this and replace the DP in SCCM for many, many satellite offices that have no server.

    2) Sometimes a DP is turned off and we cannot distribute content as we would like without calling or waiting for it to be turned on. 

    I began looking into cloud DP's or branchcache to avoid having to invest in hardware for many satellite offices.  I just don't see how distributed branch cache would help us with either of these, but I could be wrong.  I will read through the site you posted.

    Thanks.


    • Edited by wf88 Monday, May 4, 2015 8:38 PM
    Monday, May 4, 2015 8:35 PM
  • hi,

    using BranchCache you should be able to remove the requirement for a DP at each site, so you wouldn't have to track those workstations.

    Using BITS Policies you can restrict bandwidth usage at times of your choice, and with some careful planning you can make sure that BranchCache/BITS works just as well as having a DP in that location.

    As with all low bandwidth sites, there are some calculations to be done regarding number/size of content that needs to be distributed and when.

    cheers

    Phil


    Phil Wilcock http://2pintsoftware.com @2pintsoftware

    Monday, May 4, 2015 8:55 PM
  • hi,

    using BranchCache you should be able to remove the requirement for a DP at each site, so you wouldn't have to track those workstations.

    Using BITS Policies you can restrict bandwidth usage at times of your choice, and with some careful planning you can make sure that BranchCache/BITS works just as well as having a DP in that location.

    As with all low bandwidth sites, there are some calculations to be done regarding number/size of content that needs to be distributed and when.

    cheers

    Phil


    Phil Wilcock http://2pintsoftware.com @2pintsoftware

    What if I wanted to utilize SCCM to deploy an application to one of these satellite offices?  Would I not have to push the application to a DP at the satellite office?

    Or I imagine it is possible to have Distrib Branch Cache configured on all workstations and have an SCCM client on all workstations.  I guess I could then have the SCCM client pull the application down to the satellite office and distribute the content via Branch Cache?


    • Edited by wf88 Monday, May 4, 2015 9:13 PM typo
    Monday, May 4, 2015 9:08 PM
  • yep, the second scenario will work.

    SCCM client (using BITS) will start the Download at the specified 'Available from' time - and this time is staggered by SCCM so that all your workstations won't kick off the DL at once.

    So when the first SCCM client starts to DL the Application, it will place it into the BranchCache cache and it will then be available for subsequent clients to grab as they need it. The only thing the other clients will get from the DP is the BranchCache 'content information' (hashes) - they will then search for content locally from BranchCache first.

    Phil


    Phil Wilcock http://2pintsoftware.com @2pintsoftware

    Monday, May 4, 2015 9:14 PM
  • yep, the second scenario will work.

    SCCM client (using BITS) will start the Download at the specified 'Available from' time - and this time is staggered by SCCM so that all your workstations won't kick off the DL at once.

    So when the first SCCM client starts to DL the Application, it will place it into the BranchCache cache and it will then be available for subsequent clients to grab as they need it. The only thing the other clients will get from the DP is the BranchCache 'content information' (hashes) - they will then search for content locally from BranchCache first.

    Phil


    Phil Wilcock http://2pintsoftware.com @2pintsoftware

    Great.  Thank you.

    For example, if I have a location with 4 workstations.  Each workstation has an SCCM client installed and all have Distributed Branch Cache configured.  I do not have a distribution point in SCCM set up for this location.  I would have to configure the SCCM clients to 'check-in' for any content advertisement at the corporate office/server whatever.  The first SCCM client that finds a content advertisement would download the content and place it in BranchCache.  The other clients would then retrieve the content from the distributed cache before polling over the WAN for any content.  I am wondering how much this would affect the WAN if we have clients constantly checking for content, but all SCCM clients already check for content I believe.

    Am I understanding this correctly?



    • Edited by wf88 Tuesday, May 5, 2015 1:49 PM
    Tuesday, May 5, 2015 1:45 PM
  • hi,

    yes, that's correct. BUT!

    You MUST make sure that BranchCache on the server (DP) has created the Content Information (hashes) for the Application. If the content information is not there, the first SCCM client download only TRIGGERS the BranchCache Server to create the content - then it's the Second client that will do the BranchCache magic. So long as you remember that - it will all work fine.

    Depending on the server OS version, you can manually make sure that the BranchCache Content Information is there by using PowerShell - or we have a free tool on our site - HashiBashi.exe that can be used to automate this too.

    BranchCache can be tricky if you miss anything out in the config steps so I recommend that you read the step-by-step MS docs first.

    thanks

    Phil



    Phil Wilcock http://2pintsoftware.com @2pintsoftware


    Thanks for all of your help!
    Tuesday, May 5, 2015 2:50 PM
  • In Summary:

    Functionally, BranchCache replaces/obviates the need for DPs at remote locations by offloading content caching and sharing responsibilities at those remote locations to normal ConfigMgr clients in a dynamic fashion without having to configure any additional infrastructure. Think BitTorrent.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Tuesday, May 5, 2015 9:58 PM